Local councils report only 55 of 1,035 data losses

Local authorities have lost personal information on residents more than 1,000 times in the past three years, but only 55 of the breaches were reported to the UK data protection watchdog, according to a new report.

Big Brother Watch has found inconsistencies in the reporting of serious data breaches at local authorities in a new report.

Big Brother Watch found out through freedom of information requests that 132 local authorities, including 35 councils, saw 1,035 data losses or thefts between July 2008 and July 2011, it said in a report (PDF) published on Wednesday.

"Some of the incidents involved social care records, children who are in care, in some cases criminal records," Nick Pickles, director at the privacy campaign group, told ZDNet UK. "[The] information that has been lost is of huge personal significance."

Among the data exposed was the personal information of 3,100 children or students, with 244 laptops and 98 memory sticks going missing. Nine people lost their jobs over the breaches, and only 55 incidents were reported to the Information Commissioner's Office (ICO).

Inconsistency in reporting

"One of the concerns we had was an inconsistency in terms of standards of data-loss reporting," Big Brother Watch research director Maria Fort told ZDNet UK. "The ICO doesn't seem to necessarily require a consistent standard of reporting."

Big Brother Watch had responses to its FOI requests from 395 local authorities, and 263 reported no loss or theft of data. However, it noted that councils have different ideas about what constitutes a serious data loss, and have no standard format for reporting loss of data. The privacy group called for local authorities to have a policy of encrypting data, and for the ICO to have the power to do data-protection audits on such organisations without their consent.

As examples of incidents, the report noted Birmingham's local authority had lost a USB stick with the details of 64,000 people, which was not recovered. Kensington and Chelsea said documents such as photographs had been left in a pub, and Luton was unable to find 60 of its USB sticks.

ICO reponse

The ICO would welcome greater auditing powers and a standard format for data reporting, according to a spokesman for the data protection authority.

"Any data loss is a cause for concern," the spokesman told ZDNet UK. "We don't expect to be informed about all data losses, but if data losses are serious... we should be informed as a matter of course."

The severity of a data breach can be judged by the nature and amount of the information that is lost, he said, adding that local authorities are under no legal obligation to report such losses or thefts.

This means the ICO cannot request that local authorities submit data loss reports in a standard format, he said, though the Department for Communities and Local Government (DCLG) has the authority to do so.

However, the DCLG said it has no plans to offer guidance to councils on the matter. "We could produce guidance on this, but this is an issue between councils and the ICO," a spokesman for the department said. "It is [local authorities'] duty to report to the ICO."

Communities minister Grant Shapps said he welcomed the Big Brother Watch report. "This reinforces the need for steps to protect the privacy of law-abiding local residents," Shapps said in a statement. "Civil liberties are under threat from the abuse of town hall surveillance powers, municipal nosy parkers rummaging through household bins and town hall officials losing sensitive personal data on children in care."